VDB
GCVE-110-OSM-2026-1827
GCVE-110-OSM-2026-1827
Advisory PublishedCVSS 9.6/10
Multi-chain stealer with persistent SSH backdoor. Executes at postinstall via node test.js. Payload is a doubly-escaped Function('qUEpOZp', codeString) wrapper with 48 base91 alphabets — static tools (webcrack, synchrony) cannot decode it. Attack chains: (1) SSH persistence: fetches attacker public key from cloudflareinsights.vercel.app/api/ssh-key, writes to ~/.ssh/authorized_keys, executes sudo ufw enable and sudo ufw allow 22/tcp — backdoor survives package removal; (2) Filesystem exfiltration: crawls for .env, id.json, config.toml (crypto wallet files) and POSTs them to C2 as octet-stream; (3) System fingerprint beacon to /api/v1; (4) Dynamic C2 tasking via /api/scan-patterns and /api/block-patterns. Cross-platform: Linux, macOS, Windows (wmic logicaldisk get name for drive enumeration). C2 infrastructure impersonates Cloudflare analytics and security branding on Vercel PaaS.
test.js (27KB, postinstall entry): Function('kqtIJj5', codeString)(env) wrapper containing 8 decoder functions with distinct base91 alphabets. index.js (189KB, required by test.js): Function('qUEpOZp', codeString)(env) wrapper containing 48 decoder functions, 460-element encoded string array (rotation offset 0x1b=27), and switch/case state machine implementing all four attack chains. C2 URLs split into 8-char string chunks to evade regex. SSH key delivered dynamically from /api/ssh-key (not hardcoded), allowing operator key rotation without re-publishing.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | lint-nule | 1.0.4 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.